Forum Discussion

Brian_Gibson_30
Sep 14, 2016

SAML attributes

Hi folks,

 

I'm trying to set up SSO with Slack. I have most of the config done, but I need to send back the username and email address to Slack. Slack requires two variables to be sent back: User.Username and User.Email. I've set the following as a SAML attribute.

 

User.Username = %(session.logon.last.email)

 

And then in my access policy I have the following variable assignment.

 

session.logon.last.username = expr {"[string tolower [lindex [split [mcget {session.logon.last.email}] "@"] 0]]"}

 

This should split the email address into 2 values with the first value(0) being the username.

 

The problem is that Slack is seeing the F5 send back User.Username = session.logon.last.username which is no good.

 

Can anyone tell me what I'm doing wrong?

 

  • It should be

    %{session.logon.last.email}
    -- curly brackets. Can you confirm that you are using curly brackets?

    • Brian_Gibson_30

      That was the problem!! Thank you so much!!

       

      My SE helped me with setting this up and I didn't have a lot of knowledge with using APM much less SAML. A bit of a trial by fire but it looks like it is working properly.

       

  • Assuming the variable assignment agent splits the username part of the email into the session variable 'session.logon.last.username', assigning %{session.logon.last.username} as the value of the assertion attribute should do the trick. Make sure to use curly braces.

     

    To validate that the correct username is extracted, you can use the sessiondump CLI tool on BIG-IP and grep for 'session.logon.last.username' values.
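
An added example, not part of any poster's reply and not F5 or Slack code: a Python check that decodes a captured SAMLResponse and flags the failure seen in this thread, where an attribute carries a literal session-variable reference instead of its expanded value. The function names and the sample response are constructed for illustration; it also assumes User.Username should equal the lower-cased local part of User.Email, as the Tcl expression in the question intends.

```python
import base64
import re
import xml.etree.ElementTree as ET  # fine for your own IdP's output; use defusedxml for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Matches a session-variable reference that was sent literally instead of expanded,
# e.g. "%(session.logon.last.email)" or a bare "session.logon.last.username".
UNEXPANDED = re.compile(r"^%?[({]?session\.[\w.]+[)}]?$")

def attributes(saml_response_b64):
    """Return {attribute name: [values]} from a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {
        a.get("Name"): [(v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS)]
        for a in root.iterfind(".//saml:Attribute", NS)
    }

def check(attrs, required=("User.Username", "User.Email")):
    """List problems: missing attributes, unexpanded references, username/email mismatch."""
    problems = []
    for name in required:
        values = attrs.get(name) or []
        if not values:
            problems.append(f"{name}: missing")
        problems += [f"{name}: unexpanded reference {v!r}" for v in values if UNEXPANDED.match(v)]
    user = (attrs.get("User.Username") or [""])[0]
    email = (attrs.get("User.Email") or [""])[0]
    # Same derivation as the Tcl expression: lower-cased part before the "@".
    if not problems and user != email.split("@")[0].lower():
        problems.append(f"User.Username {user!r} is not the local part of {email!r}")
    return problems

def sample_response(username, email):
    """Constructed, unsigned sample response carrying only the two attributes."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>'
        f'<saml:Attribute Name="User.Username"><saml:AttributeValue>{username}</saml:AttributeValue></saml:Attribute>'
        f'<saml:Attribute Name="User.Email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for user in ("session.logon.last.username", "jdoe"):
        print(user, "->", check(attributes(sample_response(user, "JDoe@example.com"))))
```

The base64 input is the SAMLResponse form field as posted to the service provider's assertion consumer URL, which a browser SAML tracer or the developer tools network tab will show.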